chore(sync): align rookery with judge monorepo subtree #277

Merged: colek42 merged 1 commit into main from judge-upstream-sync, Jun 4, 2026

Conversation

colek42 (Contributor) commented Jun 4, 2026

What

Aligns aflock-ai/rookery main with the judge monorepo's subtrees/rookery/
(judge origin/main), bringing rookery up to date with everything the monorepo
has developed since the last full sync (rookery #252 / afea23b3), while
preserving rookery's own cilock.dev release fixes that the monorepo had not
yet synced back.

This is intended as the final reconciliation PR before rookery becomes a
release mirror of the monorepo (judge = source of truth; rookery updated on
release).

How it was reconciled

The two trees diverged in both directions since the last sync. I used a
content 3-way merge (base = rookery afea23b3, ours = judge origin/main
subtree, theirs = rookery main/#272) and found judge is +6,141 / −475
vs rookery — i.e. judge is the superset almost everywhere, having already
absorbed rookery #253–#269 via the monorepo's per-PR syncs. Only 3 files
were genuinely ahead on the rookery side, all in the cilock.dev release path.

| Area | Decision | Why |
| --- | --- | --- |
| commandrun v0.2 producer (signed key-guard evidence + all-env eBPF sentinel), evidence-based SLSA verdict, policy verify/validate UX, attestor skip-hints, consolidated keyless/auth | take judge | Proven by merged monorepo PRs; judge is a strict superset (the rookery-side deltas are older, pre-refactor versions of the same functions). |
| release.yml | keep rookery (#270) | --step "release-build" so the attestation collection name matches the single policy step (per-arch names surface as ErrNoCollections). |
| deploy/cilock/install.sh | keep rookery (#272) | cilock version (the --version flag does not exist). |
| deploy/cilock/release.policy.json | keep rookery + 1 fix (#270) | Native aflock.ai/* types + jwt.claims.{repository,ref_type} rego (the witness.dev/input.repository form was silently vacuous). Bumped command-run v0.1 → v0.2 to match what cilock now emits (V02PredicateType). |
| detection + testkit | already reconciled | judge already carries rookery's detection/testkit (synced via the monorepo #5179); no divergence. |

Verification

  • cilock and attestation modules build clean (GOWORK=off go build ./...).
  • Tests pass: cilock/internal/{options,cli,config,auth,policy}, plugins/attestors/commandrun (v0.2), attestation/{policy,source}.

Follow-up (not in this PR)

After this lands, rookery is intended to be locked to mirror-only (no direct
PRs; mirrored from the monorepo on release).

🤖 Generated with Claude Code

Brings rookery up to date with the judge monorepo's subtrees/rookery
(origin/main) — commandrun v0.2 producer + signed key-guard evidence +
all-env eBPF sentinel, evidence-based SLSA verdict, policy verify/validate
UX, attestor skip-hints, and the consolidated keyless/auth work.

Preserves rookery's cilock.dev release pipeline (the #270/#272 fixes judge
had not yet synced): release.yml uses --step release-build (collection
name matches the policy step), install.sh uses 'cilock version', and
release.policy.json uses native aflock.ai types + jwt.claims rego — with
command-run bumped v0.1 to v0.2 to match what cilock now emits.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

colek42 marked this pull request as ready for review June 4, 2026 12:58
colek42 merged commit 3007932 into main Jun 4, 2026
30 of 33 checks passed
colek42 deleted the judge-upstream-sync branch June 4, 2026 12:59